On Mon, Jan 19, 2015 at 11:27 AM, Mike West <mkwst@google.com> wrote: > On Mon, Jan 19, 2015 at 8:12 PM, Brian Smith <brian@briansmith.org> wrote: > >> Another way of phrasing this question is "Is an empty policy >> equivalent to no policy?" >> > Yes. > ​Mozilla's original vision (and implementation, for that matter) was that an empty policy failed closed and broke your site. Everything we thought dangerous (within the purview of the spec) was turned off until the site authors explicitly turned it back on. This approach fell apart the first time we thought of something new to block on websites: suddenly sites that had been working fine with CSP broke until they updated their policy. The approach worked OK for brand new web features because those sites presumably wouldn't have been using that feature anyway, but it failed miserably when we wanted to widen the scope of CSP (incorporating X-frame-options functionality, sandboxed iframes, now enhanced mixed content blocking). Sites were punished for having tried to use a security feature. Rather than have the presence of the CSP header be the opt-in to a fully restricted state, the individual directives are the opt-in for that sub-set of the specification. -Dan Veditz
Received on Sunday, 25 January 2015 22:55:40 UTC